Merge "Extending "Shared Zones" test coverage"
diff --git a/.zuul.yaml b/.zuul.yaml
index 31a06dd..b3c1bbf 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,4 +1,10 @@
- job:
+ name: designate-bind9-stable-antelope
+ parent: designate-bind9
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/2023.1
+
+- job:
name: designate-bind9-stable-zed
parent: designate-bind9
nodeset: openstack-single-node-focal
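Review bot: The new `designate-bind9-stable-antelope` job carries the same `nodeset: openstack-single-node-focal` as the zed job below it, which looks copied rather than chosen for this branch. As far as I know, the tested runtime for 2023.1 is Ubuntu 22.04, so `nodeset: openstack-single-node-jammy` is probably what is wanted here. If focal is deliberate, a one-line comment above the nodeset saying why would stop the next stable-branch job from inheriting it by copy and paste.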
@@ -31,6 +37,7 @@
- release-notes-jobs-python3
check:
jobs:
+ - designate-bind9-stable-antelope
- designate-bind9-stable-zed
- designate-bind9-stable-yoga
- designate-bind9-stable-xena
diff --git a/designate_tempest_plugin/tests/api/v2/test_blacklists.py b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
index 6dced4c..48b3028 100644
--- a/designate_tempest_plugin/tests/api/v2/test_blacklists.py
+++ b/designate_tempest_plugin/tests/api/v2/test_blacklists.py
@@ -58,9 +58,7 @@
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement('BlacklistsClient', 'create_blacklist',
expected_allowed, False)
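Review bot: `expected_allowed = ['os_admin', 'os_system_admin']` is now unconditional, so the create check expects the project-scoped `os_admin` persona to succeed even when `CONF.enforce_scope.designate` is true. The show_blacklist hunk in this same file narrows to system personas under that flag, and the delete_blacklist and update_blacklist hunks repeat the unconditional list. If write access for `os_admin` under scope enforcement is the intended policy, a short comment such as `# CUD is open to os_admin regardless of scope enforcement` would make that explicit. Otherwise these three checks should branch like the show check, so that an over-permissive policy is not recorded as expected behaviour. The test method starts outside the hunk.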
@@ -100,9 +98,10 @@
LOG.info('Ensure the fetched response matches the created blacklist')
self.assertExpected(blacklist, body, self.excluded_keys)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'BlacklistsClient', 'show_blacklist', expected_allowed, False,
@@ -121,9 +120,7 @@
# A blacklist delete returns an empty body
self.assertEqual(body.strip(), b"")
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'delete_blacklist', expected_allowed, False,
@@ -141,9 +138,10 @@
# TODO(pglass): Assert that the created blacklist is in the response
self.assertGreater(len(body['blacklists']), 0)
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'BlacklistsClient', 'list_blacklists',
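Review bot: Under `CONF.enforce_scope.designate` this list check no longer includes `os_system_reader`, while the show_blacklist hunk above still expects that persona to be allowed; the list_tlds and list_tsigkeys hunks make the same change next to show checks that keep the reader. If the helper treats personas missing from `expected_allowed` as "must be denied" (it is not visible here), the tests now assert that a system reader can show an object but cannot list it. Please add a comment above the branch stating whether this is the real policy or a workaround for the list helper, for example `# os_system_reader omitted: list helper cannot verify reader personas yet, see bug <BUG-ID>`.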
@@ -168,9 +166,7 @@
self.assertEqual(pattern, body['pattern'])
self.assertEqual(description, body['description'])
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_CUD_RBAC_enforcement(
'BlacklistsClient', 'update_blacklist', expected_allowed, False,
diff --git a/designate_tempest_plugin/tests/api/v2/test_pool.py b/designate_tempest_plugin/tests/api/v2/test_pool.py
index 57f5234..27f6e9d 100644
--- a/designate_tempest_plugin/tests/api/v2/test_pool.py
+++ b/designate_tempest_plugin/tests/api/v2/test_pool.py
@@ -102,10 +102,10 @@
# TODO(johnsom) Test reader roles once this bug is fixed.
# https://bugs.launchpad.net/tempest/+bug/1964509
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
# TODO(johnsom) The pools API seems inconsistent with the requirement
# of the all-projects header.
diff --git a/designate_tempest_plugin/tests/api/v2/test_recordset.py b/designate_tempest_plugin/tests/api/v2/test_recordset.py
index 1526ccf..2249a68 100644
--- a/designate_tempest_plugin/tests/api/v2/test_recordset.py
+++ b/designate_tempest_plugin/tests/api/v2/test_recordset.py
@@ -297,10 +297,10 @@
self.zone['id'], recordset_id)
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'RecordsetClient', 'show_recordset', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
index c1f634b..0b63f21 100644
--- a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
+++ b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
@@ -73,10 +73,10 @@
"services: {}".format(services_statuses_tup))
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ServiceClient', 'list_statuses', expected_allowed, False)
diff --git a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
index 9bab802..ecdb7c1 100644
--- a/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_shared_zones.py
@@ -125,7 +125,6 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
@@ -178,7 +177,6 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
- expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
self.check_CUD_RBAC_enforcement(
diff --git a/designate_tempest_plugin/tests/api/v2/test_tld.py b/designate_tempest_plugin/tests/api/v2/test_tld.py
index a8b03f1..a74edc1 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tld.py
@@ -148,10 +148,10 @@
self.assertExpected(tld, body, self.excluded_keys)
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TldClient', 'show_tld', expected_allowed, False, tld['id'])
@@ -191,10 +191,10 @@
self.assertGreater(len(body['tlds']), 0)
# Test RBAC
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TldClient', 'list_tlds', expected_allowed, [tld['id']],
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index 7cc9f11..94c661a 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -121,6 +121,9 @@
expected_allowed = ['os_admin', 'os_primary', 'os_alt']
if CONF.dns_feature_enabled.enforce_new_defaults:
expected_allowed.append('os_system_admin')
+ # Note: system_reader is allowed because this API RBAC is based
+ # on the target project ID. It will return a 401 instead of
+ # a 403.
expected_allowed.append('os_system_reader')
expected_allowed.append('os_project_member')
expected_allowed.append('os_project_reader')
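Review bot: The added comment says system_reader "is allowed" and, in the next sentence, that the call "will return a 401 instead of a 403", which reads as a contradiction to anyone who has not seen the helper. It should spell out which layer produces the 401 and why the check still counts that persona as allowed. For example, say that the policy check passes because it is keyed on the target project ID, and that the request is rejected afterwards. This matters in an RBAC test because a reader persona on a create/update/delete check is exactly what a reviewer will question. The surrounding test method starts and ends outside the hunk.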
@@ -185,10 +188,10 @@
True, transfer_accept['id'])
# Test RBAC with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
@@ -278,20 +281,20 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_RBAC_enforcement_count(
'TransferAcceptClient', 'list_transfer_accept',
expected_allowed, 0)
# Test that users who should see the zone, can see it.
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_IDs_RBAC_enforcement(
'TransferAcceptClient', 'list_transfer_accept',
@@ -400,10 +403,10 @@
self.wait_zone_delete, self.alt_zone_client, zone['id'])
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
index c646c2b..20c68ed 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@@ -160,20 +160,19 @@
# Test RBAC
# Note: The create service client does not define a target project
# ID, so everyone should be able to see it.
- expected_allowed = ['os_admin', 'os_primary', 'os_alt']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_system_reader',
- 'os_project_member', 'os_project_reader'])
+ expected_allowed = ['os_admin', 'os_primary', 'os_alt',
+ 'os_system_admin', 'os_system_reader',
+ 'os_project_member', 'os_project_reader']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
True, transfer_request['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
@@ -244,11 +243,12 @@
self.assertExpected(transfer_request, body, excluded_keys)
# Test RBAC when a transfer target project is specified.
- expected_allowed = ['os_primary', 'os_alt']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed.extend(['os_system_admin', 'os_project_member'])
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_primary', 'os_alt',
+ 'os_system_admin', 'os_project_member']
else:
- expected_allowed.append('os_admin')
+ expected_allowed = ['os_primary', 'os_alt', 'os_admin',
+ 'os_system_admin', 'os_project_member']
self.check_list_show_RBAC_enforcement(
'TransferRequestClient', 'show_transfer_request', expected_allowed,
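Review bot: The two branches spell out nearly identical lists that differ only by `'os_admin'`, so the single persona that scope enforcement removes is hard to spot. Building the common list once and adding the difference keeps the intent visible: `expected_allowed = ['os_primary', 'os_alt', 'os_system_admin', 'os_project_member']` followed by `if not CONF.enforce_scope.designate:` / `expected_allowed.append('os_admin')`. This assumes the helper does not depend on list order, which cannot be confirmed from the hunk.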
@@ -304,8 +304,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
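Review bot: This check still branches on `CONF.dns_feature_enabled.enforce_new_defaults`, while the other RBAC checks touched in this file now branch on `CONF.enforce_scope.designate`. The expected personas in one test module therefore depend on two independent options. The same holds for the matching "should get zero zones" hunks in test_zones.py, test_zones_exports.py and test_zones_imports.py. A deployment that sets only one of the two options would get expectations that were never written as a consistent set. Please add a comment saying why this check stays on `enforce_new_defaults`, or state which combinations of the two options the suite supports.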
diff --git a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
index 6ceeaca..926797f 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tsigkey.py
@@ -145,9 +145,11 @@
self.assertGreater(len(body['tsigkeys']), 0)
# Test RBAC
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader']
+ if CONF.enforce_scope.designate:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
+
self.check_list_IDs_RBAC_enforcement(
'TsigkeyClient', 'list_tsigkeys', expected_allowed,
[tsigkey['id']])
@@ -409,9 +411,10 @@
self.assertExpected(tsigkey, body, self.excluded_keys)
# Test RBAC
- expected_allowed = ['os_admin']
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'TsigkeyClient', 'show_tsigkey', expected_allowed, True,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index 40055cc..d99f31b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -171,10 +171,10 @@
'ZonesClient', 'show_zone', expected_allowed, True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone', expected_allowed, False, zone['id'],
@@ -281,8 +281,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@@ -437,10 +436,10 @@
True, zone['id'])
# Test with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZonesClient', 'show_zone_nameservers', expected_allowed,
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
index 0e6d54b..5ca5495 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_exports.py
@@ -129,10 +129,10 @@
zone_export['id'])
# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -164,10 +164,10 @@
zone_export['id'], listed_export_ids))
# Test RBAC with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneExportsClient', 'show_zone_export', expected_allowed, True,
@@ -229,8 +229,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index d9ef8e9..025fa9a 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -159,10 +159,10 @@
zone_import['id'])
# Test with x-auth-all-projects
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
@@ -233,8 +233,7 @@
# Test RBAC - Users that are allowed to call list, but should get
# zero zones.
if CONF.dns_feature_enabled.enforce_new_defaults:
- expected_allowed = ['os_system_admin', 'os_system_reader',
- 'os_admin']
+ expected_allowed = ['os_system_admin', 'os_admin']
else:
expected_allowed = ['os_alt']
@@ -307,10 +306,10 @@
zone_import, resp_body['imports'][0], self.excluded_keys)
# Test with x-auth-sudo-project-id header
- if CONF.dns_feature_enabled.enforce_new_defaults:
+ if CONF.enforce_scope.designate:
expected_allowed = ['os_system_admin']
else:
- expected_allowed = ['os_admin']
+ expected_allowed = ['os_admin', 'os_system_admin']
self.check_list_show_RBAC_enforcement(
'ZoneImportsClient', 'show_zone_import', expected_allowed, False,